Alibaba Open Source team believes that developers and researchers should act responsibly for the vulnerability. Vulnerability disclosure policy could result in protecting our users of the Internet.
This policy only works on following programs:
If you believe you have found any security (technical) vulnerability in the products or services of Alibaba Group, you are welcomed to submit a vulnerability report on ASRC platform (https://security.alibaba.com/ ). You can find the state of your report on the platform.
In case of reporting any security vulnerability, please be noted that you may include following information (Qualified Reporting):
- The product name.
- A detailed description with necessary screenshots.
- Versions of components related to the vulnerability.
- Steps to reproduce the vulnerability and your advice to fix it.
- Other useful information
For the policy of vulnerability scope and reward, you can visit Vulnerability Rewards Program V2.0. The related open source products are defined as core businesses.
Related open source vulnerabilities reported to the ASRC will be disclosed in Vulnerability Notes to the public 90 days after the initial report. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure.